What logs show me that the user disabled Access Protection and On-Access?

I have an assistant who can disable and enable VSE on clients, so I want to know which logs, not reports on the dashboard, show me which system he disabled Access Protection or On-Access protection on, even for 1 min.

Re: What logs show me that the user disabled Access Protection and On-Access?

There are no logs that show who disabled OAS/Access Protection on a workstation or server. However, these settings are only accessible via the local console for VSE; on this basis you can say that the "logged in user" made the changes (if they are not done by ePO). If the user allows someone else to change these settings, then maybe a discussion needs to be had around company policy etc.

However, also in the local console or via ePO you can set a password to "lockout" the local console and prevent users from making these changes. I suggest this would be the best course of action at this point.

Also, if the logged in user has a "restricted" or "user" account, they cannot make these changes by default as the console is locked out. Where the user has a local administrator account, you should set a password via policy to prevent an "admin" user from making changes.

Re: What logs show me that the user disabled Access Protection and On-Access?

@MMJ The log files will not show you if Access Protection has been disabled or not. If it's disabled, you just won't see any new entries in the logs.

All VSE product logs can be found under %programdata%\Mcafee\DesktopProtection\Logs

Re: What logs show me that the user disabled Access Protection and On-Access?

So far there are no logs that facilitate your requirements. However, you may create a query to check the list of machines, along with the users, where Access Protection is in a disabled state, and bring this report to your ePO dashboard.

In addition, you may lock the console from the ePO with a password that would not allow the user to make any changes.
